Over the past few months, multiple human rights organizations all over the world have been hit by spear-phishing attacks designed to trick aid workers into revealing their credentials. According to the Lookout researchers who uncovered the campaign, the list of victims includes more than a dozen organizations, with the Red Cross, UNICEF, and the UN World Food and UN Development programs to name a few.
The campaign has been active since March 2019. The two domains used to host the phishing content [session-services[.]com and service-ssl-check[.]com] are associated with an IP network block and ASN (Autonomous System Number) that have been known to host malware in the past.
The campaign uses several noteworthy techniques, including the ability to detect mobile devices and to log keystrokes directly as they are entered in the password field.
Lookout also found that the hackers embedded the key logging functionality in the password field of the phishing login pages, allowing them to collect the data even if the victim doesn’t complete the login or enters an unintended password.
The attackers also use SSL certificates meant to add credibility to the phishing pages. Out of all certificates used in this campaign so far, only six of them are still valid, suggesting that these attacks may still be ongoing.
“SSL certificates used by the phishing infrastructure had two main ranges of validity: May 5, 2019 to August 3, 2019, and June 5, 2019 to September 3, 2019,” the researchers said.
The research team hasn't been able to attribute the campaign to any particular group or country. As for motive, the goal of the attack is to compromise Okta and Microsoft credentials to gain access to these accounts, which could be used for further attacks or intelligence gathering, the researchers said.
The full list of the targeted organizations, including the URLs and other IoCs, is available at the end of Lookout’s report.
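For defenders who want to check their own web proxy or DNS logs against the two domains named above, the following is an added example (not taken from Lookout's report). It assumes a whitespace-separated `timestamp client url` log layout; the sample lines and the subdomains in them are constructed, and are written defanged here even though real logs would not be.

```python
import re
from urllib.parse import urlsplit

# The two phishing domains named in the article, kept defanged as published.
DEFANGED_IOCS = ["session-services[.]com", "service-ssl-check[.]com"]

def refang(indicator):
    """Turn a defanged indicator (hxxp, [.]) back into a matchable form."""
    s = indicator.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)

IOC_DOMAINS = {refang(d).lower() for d in DEFANGED_IOCS}

def host_of(url_or_host):
    """Extract a lowercase hostname from a URL or a bare host[:port]."""
    value = refang(url_or_host)
    if "://" not in value:
        value = "//" + value              # let urlsplit treat it as a netloc
    try:
        return (urlsplit(value).hostname or "").rstrip(".").lower()
    except ValueError:                    # malformed netloc, e.g. stray bracket
        return ""

def matches_ioc(url_or_host):
    """Return the matched IoC domain, comparing on DNS label boundaries."""
    host = host_of(url_or_host)
    for domain in IOC_DOMAINS:
        # Exact domain or any subdomain; a plain substring test would also
        # flag look-alikes such as "mysession-services.com".
        if host == domain or host.endswith("." + domain):
            return domain
    return None

def scan(log_lines):
    """Yield (line_no, client, ioc) per hit. Assumes 'ts client url' fields."""
    for n, line in enumerate(log_lines, 1):
        fields = line.split()
        if len(fields) >= 3 and (ioc := matches_ioc(fields[2])):
            yield n, fields[1], ioc

# Constructed sample log (not real traffic); hosts under the IoCs are made up.
SAMPLE_LOG = [
    "2019-07-01T09:12:03Z 10.0.0.21 https://login.example.org/",
    "2019-07-01T09:12:40Z 10.0.0.34 hxxps://portal.session-services[.]com/signin",
    "2019-07-01T09:13:02Z 10.0.0.35 hxxp://SERVICE-SSL-CHECK[.]COM.:8080/a",
    "2019-07-01T09:13:30Z 10.0.0.36 hxxps://mysession-services[.]com/",
    "2019-07-01T09:14:11Z 10.0.0.37 hxxps://session-services[.]com.example.net/",
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```

Only the second and third sample lines are reported; the last two are unrelated hosts that merely contain an IoC string and are correctly ignored.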